If you thought Apple had ironed out iOS 8 by now, here is another reason to worry, especially if you are a heavy Mail app user: Ernst and Young security researcher Jan Soucek has uncovered a bug that leaves millions of iOS users vulnerable to phishing attacks (via The Register).
Remember those password pop-up windows you get sometimes when you open the Mail app? Well, Soucek created a tool that is capable of generating “slick iCloud password phishing emails” and produces a pop-up that matches the one we are accustomed to.
He discovered the bug earlier this year and immediately informed Apple about it. Unfortunately, Apple didn’t respond to the bug report.
“Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored,” Soucek says.
“It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2.”
Soucek’s tool could allow scammers to collect your iCloud username and password, and they can customize it to collect whatever other data they want to harvest.
He says the http-equiv tool targets each victim only once, by setting cookies on iDevices. Now that it has been made public, we can only hope that Apple takes this flaw seriously. The bug is present in the latest version of iOS 8 as well, so you may want to think twice before entering your password into that pop-up window.